-
CVE-2025-39894
- EPSS 0.03%
- Published 01.10.2025 08:15:31
- Last modified 02.10.2025 19:12:17
- Source 416baaa9-dc9f-4396-8d5f-8c081f
- Teams watchlist Login
- Open Login
In the Linux kernel, the following vulnerability has been resolved: netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm When send a broadcast packet to a tap device, which was added to a bridge, br_nf_local_in() is called to confirm the conntrack. If another conntrack with the same hash value is added to the hash table, which can be triggered by a normal packet to a non-bridge device, the below warning may happen. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200 CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary) RIP: 0010:br_nf_local_in+0x168/0x200 Call Trace: <TASK> nf_hook_slow+0x3e/0xf0 br_pass_frame_up+0x103/0x180 br_handle_frame_finish+0x2de/0x5b0 br_nf_hook_thresh+0xc0/0x120 br_nf_pre_routing_finish+0x168/0x3a0 br_nf_pre_routing+0x237/0x5e0 br_handle_frame+0x1ec/0x3c0 __netif_receive_skb_core+0x225/0x1210 __netif_receive_skb_one_core+0x37/0xa0 netif_receive_skb+0x36/0x160 tun_get_user+0xa54/0x10c0 tun_chr_write_iter+0x65/0xb0 vfs_write+0x305/0x410 ksys_write+0x60/0xd0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> ---[ end trace 0000000000000000 ]--- To solve the hash conflict, nf_ct_resolve_clash() try to merge the conntracks, and update skb->_nfct. However, br_nf_local_in() still use the old ct from local variable 'nfct' after confirm(), which leads to this warning. If confirm() does not insert the conntrack entry and return NF_DROP, the warning may also occur. There is no need to reserve the WARN_ON_ONCE, just remove it.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorLinux
≫
Product
Linux
Default Statusunaffected
Version <
d00c8b0daf56012f69075e3377da67878c775e4c
Version
7c3f28599652acf431a2211168de4a583f30b6d5
Status
affected
Version <
ccbad4803225eafe0175d3cb19f0d8d73b504a94
Version
2b1414d5e94e477edff1d2c79030f1d742625ea0
Status
affected
Version <
50db11e2bbb635e38e3dd096215580d6adb41fb0
Version
80cd0487f630b5382734997c3e5e3003a77db315
Status
affected
Version <
c47ca77fee9071aa543bae592dd2a384f895c8b6
Version
62e7151ae3eb465e0ab52a20c941ff33bb6332e9
Status
affected
Version <
a74abcf0f09f59daeecf7a3ba9c1d690808b0afe
Version
62e7151ae3eb465e0ab52a20c941ff33bb6332e9
Status
affected
Version <
479a54ab92087318514c82428a87af2d7af1a576
Version
62e7151ae3eb465e0ab52a20c941ff33bb6332e9
Status
affected
Version
cb734975b0ffa688ff6cc0eed463865bf07b6c01
Status
affected
VendorLinux
≫
Product
Linux
Default Statusaffected
Version
6.8
Status
affected
Version <
6.8
Version
0
Status
unaffected
Version <=
5.15.*
Version
5.15.192
Status
unaffected
Version <=
6.1.*
Version
6.1.151
Status
unaffected
Version <=
6.6.*
Version
6.6.105
Status
unaffected
Version <=
6.12.*
Version
6.12.46
Status
unaffected
Version <=
6.16.*
Version
6.16.6
Status
unaffected
Version <=
*
Version
6.17
Status
unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.081 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|